Support different key for each tenant

[catchin]

I would find it convenient if each tenant uses a different key for signing the JWTs, so that I can use the mock-oauth2-server to use it for unit-testing authentication against different tenants.
Would this be something that makes sense also for others?

[tommytroen]

This is somewhat tricky to implement in the current architecture as we do not know about the potential "tenants"/"issuers" up front - some of the mock-oauth2-server flexibility comes from not having to configure the issuers up front and supporting any number of issuers (by using the incoming url to construct specific issuer, wellKnown and jwks urls).

You will get different jwks urls for each tenant, so your verification code should use differnet JWKS retrieval objects for each tenant - they just happen to use the same key. Unit testing auth against different tenants should work as expected with the current setup (disregarding the fact that both have the same key "under-the-hood"). Could you elaborate a bit more on how you would write your tests or what you are trying to achieve?

[catchin]

Hi @tommytroen , thanks for the response! To elaborate on my use case: I need to support two different issuers for authentication. In real life, they have different keys.
A simple implementation looks like this: First, try to decode and validate it using issuer1. If this fails due to a different signing key being used, decode and validate it using issuer2.
This implementation cannot be tested using mock-oauth2-server, as the validation never fails because the key is the same.
To mitigate this, one could also verify the issuer and in this case validation would fail.

It is not a critical issue though, perhaps it would already be enough to add a note to the documentation that the same key is used, as multi-tenancy for me suggests that also different signing keys are used. What do you think?

Implementation-wise, I thought of generating the signing keys on demand and caching them for each issuer. But I did not yet dig into the source code how easy this would be to achieve.

[tommytroen]

Thanks @catchin I understand your use case now. Most users would probably check the issuer before verifying the signature, however this is an implementation detail so I understand there are multiple ways to implement this. I'll have a look to see if we can implement this as I think this could probably benefit others. One can only assume so much!

[tommytroen]

@catchin just released a version https://github.com/navikt/mock-oauth2-server/releases/tag/0.3.3 with a fix to your issue.

[catchin]

Thank you @tommytroen, I tried the new version and it works perfectly. 👍